
Steam patches flaw that exposed user profiles to drive-by attacks

Yesterday, news broke that Steam was affected by a cross-site scripting vulnerability that could compromise Steam account safety or be used to steal user data. The problem has since been corrected, and it’s now safe to view profiles and activity feeds (kudos to Valve for patching this specific issue rapidly).

A cross-site scripting (XSS) vulnerability allows an attacker to inject script into web pages viewed by other users. There are a variety of methods and subtypes, but the basic idea is the same: an attacker uses a web application to slip malicious data into the response to a request for “clean” information. The host website believes it is serving valid data and your browser believes it has received clean data. In reality, what it’s been handed is something altogether different.

[Figure: a generic cross-site scripting attack.]

It’s not clear if the problem was solely fixed server-side or if there’s a new client update you’ll need to install first; we recommend checking for any such updates to be on the safe side. Moderator DirtDiglett, who created the proof of concept to document this exploit, explained it could be used for a variety of nasty objectives. All you had to do to trigger the issue was visit a page with a malicious Steam Profile.

The attack could redirect users to non-Steam pages designed to look like Steam and capture login and password info (this is a combined phishing and malware attack strategy). It could also be used to spend marketing funds in the user’s account on anything the malicious user wished (since the victim is already logged in), or to manipulate other page elements as the attacker saw fit.

Only profiles that were at least level 10 were impacted, and the issue was related to Steam’s “My Guides showcase.” Scripts placed in a guide’s title section were then executed (Favorite Guide was not vulnerable, only the multi-guide showcase). Either way, it’s a potentially serious problem that could’ve caused headaches for a lot of users.
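The pattern described above, where one view of a user-supplied title is safe and another view of the same field is not, is sketched below as an added example; it is not Valve's code. All function names and markup are hypothetical, and it assumes the difference between the two views was output encoding, which the report does not confirm.

```javascript
// Constructed illustration: names and markup are hypothetical, not Steam's code.

// Encode the characters that let text break out of HTML text or
// quoted-attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Single-guide view: the title is encoded on output.
function renderFavoriteGuide(guide) {
  return `<div class="favorite_guide"><a href="/guides/${encodeURIComponent(guide.id)}">` +
    `${escapeHtml(guide.title)}</a></div>`;
}

// Multi-guide view, "before": the same field is concatenated raw into markup.
function renderGuideShowcaseUnsafe(guides) {
  return `<ul class="guide_showcase">` +
    guides.map((g) => `<li>${g.title}</li>`).join("") + `</ul>`;
}

// Multi-guide view, "after": reuses the encoder the single-guide view uses.
function renderGuideShowcase(guides) {
  return `<ul class="guide_showcase">` +
    guides.map((g) => `<li>${escapeHtml(g.title)}</li>`).join("") + `</ul>`;
}

// Regression check: push an inert canary tag through a view and report
// whether it came out as live markup instead of encoded text.
function rendersRawMarkup(renderFn, wrap) {
  const canary = `<i id="xss-canary">`;
  const html = renderFn(wrap({ id: 1, title: canary }));
  return html.includes(canary);
}

// One entry per view that displays the title field.
const views = {
  favorite: rendersRawMarkup(renderFavoriteGuide, (g) => g),
  showcaseUnsafe: rendersRawMarkup(renderGuideShowcaseUnsafe, (g) => [g]),
  showcaseFixed: rendersRawMarkup(renderGuideShowcase, (g) => [g]),
};
console.log(views);
```

Running the same canary through every view that displays a field catches the case where encoding was applied in one template and forgotten in another.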

If you feel you may have been affected by this problem, you need to activate two-factor authentication for your account via Steam Guard, change your passwords, de-authorize all systems that have been given permission to access your account, and reset your cable modem and router so that your IP address changes as well. If you were affected by this attack and had cash stolen from you, contact Steam customer service to address it. Valve’s reputation for speedy customer service isn’t great, but the company is clearly treating this as a serious flaw.